A flaw in the Google Cloud Vertex AI SDK for Python let attackers hijack model uploads by squatting on predictable Cloud Storage bucket names and swapping in malicious pickle or joblib models. Google patched the issue in version 1.148.0, and Unit 42 reported that it found no evidence of exploitation in the wild. #GoogleCloud #VertexAI #PaloAltoNetworks #Unit42 #PickleintheMiddle
Keypoints
- The Vertex AI SDK used a predictable temporary bucket name when staging_bucket was unset.
- An attacker could create the expected bucket first and intercept the victim's model upload.
- Replacing the uploaded model with a malicious pickle or joblib file could execute code in Google's serving infrastructure.
- The attack could steal OAuth tokens and expose other tenant data in Google-managed infrastructure.
- Google fixed the issue in google-cloud-aiplatform 1.148.0 and added bucket ownership verification.
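To make the squatting race and the ownership check concrete, here is an added simulation in Python. It is not code from the Vertex AI SDK or from Unit 42's write-up: the in-memory `FakeStorage` class stands in for Cloud Storage's global, first-come-first-served bucket namespace, and the `default_staging_bucket` naming scheme is a hypothetical placeholder for whatever predictable name the SDK derived, chosen only to show why a name an attacker can guess is enough to win the race. The "vulnerable" stager mirrors the keypoints above (use the bucket if it already exists, never ask who owns it); the "hardened" stager adds the kind of ownership verification the fix describes, with ownership modelled as a field on the fake bucket.

```python
"""Added example: bucket-squatting race against a predictable staging bucket.

Everything here is a stand-in (FakeStorage, the bucket naming scheme, the
owner field); none of it is the real SDK or Cloud Storage API.
"""
from dataclasses import dataclass, field


@dataclass
class Bucket:
    owner: str                              # project that created the bucket
    objects: dict = field(default_factory=dict)


class FakeStorage:
    """Global bucket namespace: whoever creates a name first owns it."""

    def __init__(self):
        self.buckets = {}

    def create_bucket(self, name, owner):
        if name in self.buckets:
            raise FileExistsError(f"bucket {name} already exists")
        self.buckets[name] = Bucket(owner=owner)
        return self.buckets[name]

    def get_bucket(self, name):
        return self.buckets.get(name)

    def upload(self, bucket_name, blob_name, data):
        self.buckets[bucket_name].objects[blob_name] = data


def default_staging_bucket(project, location):
    # Hypothetical predictable scheme: anyone who knows the victim's project
    # id and region can compute the same name and create it first.
    return f"{project}-{location}-vertex-staging"


class StagingBucketError(Exception):
    """Raised when the staging bucket is not owned by the caller's project."""


def stage_model_vulnerable(storage, project, location, model_bytes):
    """Vulnerable pattern: reuse the bucket if it exists, else create it.
    Nothing checks who actually owns the bucket before uploading."""
    name = default_staging_bucket(project, location)
    if storage.get_bucket(name) is None:
        storage.create_bucket(name, owner=project)
    storage.upload(name, "model.pkl", model_bytes)
    return name


def stage_model_hardened(storage, project, location, model_bytes):
    """Hardened pattern: refuse to upload unless the bucket belongs to us."""
    name = default_staging_bucket(project, location)
    bucket = storage.get_bucket(name)
    if bucket is None:
        bucket = storage.create_bucket(name, owner=project)
    if bucket.owner != project:
        raise StagingBucketError(
            f"bucket {name} is owned by {bucket.owner!r}, not {project!r}")
    storage.upload(name, "model.pkl", model_bytes)
    return name


def run_attack(stager, victim="victim-project", location="us-central1"):
    """Attacker pre-creates the victim's predictable bucket, then waits for
    the victim's upload. Returns what the attacker ended up controlling."""
    storage = FakeStorage()
    name = default_staging_bucket(victim, location)
    storage.create_bucket(name, owner="attacker-project")   # the squat

    try:
        stager(storage, victim, location, b"legit-model")
    except StagingBucketError as err:
        return {"hijacked": False, "leaked": None, "served": None,
                "error": str(err)}

    bucket = storage.get_bucket(name)
    leaked = bucket.objects.get("model.pkl")          # attacker reads the upload
    bucket.objects["model.pkl"] = b"malicious-pickle"  # ...and swaps it
    return {"hijacked": bucket.owner == "attacker-project",
            "leaked": leaked, "served": bucket.objects["model.pkl"],
            "error": None}


if __name__ == "__main__":
    print("vulnerable:", run_attack(stage_model_vulnerable))
    print("hardened:  ", run_attack(stage_model_hardened))
```

The practical takeaway for users of any SDK that auto-provisions storage: set `staging_bucket` explicitly to a bucket you created, and pin `google-cloud-aiplatform` to 1.148.0 or later so the ownership check runs even when the default path is used.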
Read More: https://thehackernews.com/2026/06/google-vertex-ai-sdk-flaw-let-attackers.html